RE: pushing exploits through the Firewall

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

Mike,

So what I think you may be getting at is one of two things:

1. Most BIND exploits are TCP-based, and most sharp firewalls
admins allow only UDP. In this case, no dice.

Three or four years ago there was a UDP based exploit for
BIND, some vuln in recursion I think...anyway go Google. :)

2. Some of the BIND exploits were attacked via overflow in
the protocol headers, so if you are facing a firewall that
does some protocol validation, and DNS is a common/easy one
to do, then you exploit may be blocked over TCP by a protocol
validator that sees a non-RFC compliant/sized header.

3. There's lots of third options that may or may not be
viable. Look for a proxy with CONNECT method enabled to
the outside world, and shove a TCP connection to the BIND
server through their proxy, or Citrix box, or anything
else you can find open.

-ae


> -----Original Message-----
> From: Julian Totzek [mailto:julian.totzek () bristol de] 
> Sent: Monday, February 13, 2006 2:32 PM
> To: Mike Gilligan; pen-test () securityfocus com
> Subject: AW: pushing exploits through the Firewall
>
>
> > Hi group
> > Say a pentester manages to discover a vulnerable version of BIND
> running
> > on
> > an external DNS server and has successfully sourced an 
> exploit for the
> > vuln.
> > I'm curious how it would be possible to launch the exploit 
> against the
> > server when a packet filtering device and stateful 
> inspection Firewall
> sit
> > between the pentester and the vuln host. It would seem at 
> first glance
> > that
> > this is not a viable option. How else might one go about exploiting
> the
> > vuln?
> Hi Mike,
>
> remember, a firewall is mostly controlling the entrance but not the
> application itself. So if there is a exploit running on port 
> UDP 53 the
> firewall will let it pass, cause it only knows port 53 UDP is 
> legitimate
> traffic.
>
> Sometimes there are some kind of filter enabled in firewalls 
> which will
> block these exploits, but normally there is nothing ;-)
>
> So just go for it and try it :-)
>
> --------------------------------------------------------------
> ----------------
> Audit your website security with Acunetix Web Vulnerability Scanner: 
>
> Hackers are concentrating their efforts on attacking 
> applications on your 
> website. Up to 75% of cyber attacks are launched on shopping 
> carts, forms, 
> login pages, dynamic content etc. Firewalls, SSL and 
> locked-down servers are 
> futile against web application hacking. Check your website 
> for vulnerabilities 
> to SQL injection, Cross site scripting and other web attacks 
> before hackers do! 
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> -----------------

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------